I understand the initial challenge-response pattern when using Let's Encrypt, but I noticed that when testing renewals, no GET requests were hitting .well-known/acme-challenge.
Once the domain/account keys are set up, does renewal ever have to touch .well-known? Can my account/domain keys ever expire and have to be refreshed?
My app requires specific mounts to serve that directory and if possible I would like to avoid the configuration overhead if it won't ever be used anyway. I can use a slimmer setup for the initial domain verification.